If a value is used after a try-block finishes, we need to make sure that
the catch-block can restore its value. Otherwise we'd accidentally drop
the value on register merge thinking we're in a liveness hole on the
merge after the catch (since the catch cleared all the registers). This
then breaks JumpLoops that need to restore the value in a specific
register.
Bug: v8:7700, chromium:1392061
Change-Id: I7255ccf9b36bf36583ad612882137b251c48caed
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4055111
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Auto-Submit: Toon Verwaest <verwaest@chromium.org>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Toon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84483}
The flag --harmony-struct changes the global object which is
observable when doing differential fuzzing. The flag will now be
ignored to close ongoing false positives. It could be enabled in
the future if the global object stays equal in all compared
configurations, which could be faked behind the flag:
--correctness-fuzzer-suppressions.
No-Try: true
Bug: chromium:1393020
Change-Id: Ib5f3325a742dd32cac34febca58bf99e0184ac97
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4055627
Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84478}
This uses arch-specific config keys for gcmole prepared by:
https://crrev.com/c/4055685
In a follow up, we can move the runs to bots with the respective
architecture.
Bug: v8:9287
Change-Id: Iedbb44490195b49d560658451263a1abdc2d3258
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4055320
Reviewed-by: Alexander Schulze <alexschulze@chromium.org>
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84477}
HeapTest.GrowAndShrinkNewSpace emulates a GC cycle for shrinking new
space. Starting a new MinorMC cycle should first finalize sweeping from
the previous GC cycle.
Bug: v8:12612
Change-Id: Iea35b54ba0f7be3b7870c557c92042a8d9896045
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4055625
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Auto-Submit: Omer Katz <omerkatz@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84475}
There are still tests that use EmbedderHeapTracer, which would crash
with --minor-gc enabled. Bail out from PerformWrapperTracing() if
there is no cpp marking worklist to MarkingWorklists (i.e. Publish()
returns false).
Bug: v8:13475
Change-Id: I04708ffe8ebaf18f94f1a3fc60d9f6afeef13e03
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4055505
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Auto-Submit: Anton Bikineev <bikineev@chromium.org>
Reviewed-by: Omer Katz <omerkatz@chromium.org>
Commit-Queue: Omer Katz <omerkatz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84473}
This DCHECK doesn't hold anymore since we are comparing the old
and the new target objects.
Bug: v8:13267
Change-Id: I7fe1ec58f165555eab003bf021b856a5095e8daf
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4056256
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Auto-Submit: Dominik Inführ <dinfuehr@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84472}
Objects in shared space cannot have pointers to objects outside
the shared heap (apart from read only space). Improve heap
verification to also handle this invariant.
Bug: v8:13267
Change-Id: I28c5987bd6f74658eb75329be7c2d011f9569913
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4055683
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Dominik Inführ <dinfuehr@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84470}
During a shared garbage collection, the heap was verified both in
Heap::PerformGarbageCollection and Heap::PerformSharedGarbageCollection
and concurrent marking was paused/resumed twice. This CL removes what
is not necessary and fixes the order: pause, verify, GC, verify, resume.
Change-Id: I0f687a37785cbb99691fc83c0c80c8ca4a30bb71
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4042242
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Commit-Queue: Nikolaos Papaspyrou <nikolaos@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84466}
The WasmModuleBuilder is used in tests for creating Wasm modules. It can
be pretty slow for huge modules, in particular in simulator builds or in
slow variants like gc-stress.
This CL adds a fast path to the code section creation, for functions
without locals. This makes the wasm-max-functions test 1.45x faster in
the arm64 simulator (generation of the code section alone gets 2.2x
faster).
R=ahaas@chromium.org
Change-Id: I993542448fb4f0b5fdadca13c59691d86844e2a6
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4051606
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84465}
Maps might be allocated in the shared space as well when using
--shared-space.
Bug: v8:13267
Change-Id: I8e5e0742d0dc519d676d1adb3f2fffc8a17ca3c7
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4055503
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Dominik Inführ <dinfuehr@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84464}
Pass the map list into BuildCheckMaps as a base::Vector (a non-owning
span type) rather than ZoneVector, so that it can accept either an
existing ZoneVector, or an on-stack array.
Bug: v8:7700
Change-Id: Iaef0986433bc7984ee28883c6f1e9fb32f538ecb
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4004959
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Auto-Submit: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Victor Gomes <victorgomes@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84463}
Make the process-wide code range a once-initialised leaky object, rather
than having a global weak_ptr + per-heap shared pointers and allowing it
to be collected when all Isolates die.
These weak pointers add locking overhead when accessing the code range,
which shows up in GC and deoptimization traces when attempting to
calculate Code objects from PCs. The process-wide pointer compression
cage is already leaky, so it makes sense for the code range to be
similar.
Bug: v8:11460
Change-Id: Ibebd468ebad9eafe8aec49f575cdbf604e4b6cc0
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4051201
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84462}
This validity cell is already invalidated from its creation, which
means this object is actually immutable. Move it into RO space to make
use of this property.
There was one store to that object which simply overwrote that
invalid marker with the same value. This CL changes this into a
conditional store.
Bug: v8:13267
Change-Id: I12ab5a41bd9fc0a62523a4ac35607c4b38b2acee
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4055895
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Dominik Inführ <dinfuehr@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84461}
We do not record OLD_TO_SHARED slots in the shared heap itself. This
invariant can be checked in the heap verifier.
Bug: v8:13267
Change-Id: Ie2f3fb0923c597c962a1139d2986258a65998648
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4055663
Commit-Queue: Dominik Inführ <dinfuehr@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84460}
When using UpdateTypedSlotHelper::UpdateTypedSlot the slot argument
passed to the callback is a temporary slot and not the "actual" slot
in the code object.
Therefore CheckAndScavengeObject doesn't update the code object itself
but just that temporary slot. The slot in the code object is only
updated after the callback returns. This means
UpdateTypedSlotHelper::GetTargetObject can't be used in
CheckOldToNewSlotForSharedTyped since that would read the old target
object from the code object and not the new target of that temporary
slot. In such cases this method would not see the that the object got
promoted into shared heap and not record an old-to-shared slot.
Bug: v8:13267, chromium:1392865
Change-Id: I30ef5ed1bc441cc5700b921dc880b9b3fcbb78d7
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4051125
Commit-Queue: Dominik Inführ <dinfuehr@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84457}
StringFromCharCode expects an int32 value, but maglev isn't careful
about keeping the top 32 bits of the register valid (to avoid needing to
sign extend after every 32-bit operation). This means the top bits of
an int32 register might be invalid when it is used -- in particular,
complex addressing uses its inputs as 64-bit values, including the
index.
Long story short, we need to zero the top bits of the int32 char_code
used as the index into the single character table.
Bug: v8:7700
Change-Id: I3540230c865a1d07c105f35d024d598cc8e15180
Fixed: chromium:1392585
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4055502
Commit-Queue: Victor Gomes <victorgomes@chromium.org>
Reviewed-by: Victor Gomes <victorgomes@chromium.org>
Auto-Submit: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84456}
This reverts commit a63f9912b7.
Reason for revert: https://ci.chromium.org/ui/p/v8/builders/ci/V8%20Linux64/50370/overview
Original change's description:
> [maglev] Spill nodes that we'd otherwise fail to merge
>
> This makes sure that catch-blocks don't accidentally drop values that
> are only in registers, which can happen if we throw in deferred throwing
> code (e.g., in ThrowReferenceErrorIfHole). At the latest we'll discover
> such values when trying to merge after the catch block, noticing we
> can't find the value through the catch-block. Unfortunately it's not
> trivial to figure out where that merge happens, so we just
> unconditionally spill the value.
>
> For liveness holes (as the comment previously mentioned) the value
> should already be dead and dropped on the merge. Running --maglev-stress
> etc shows that no code currently hits this path, except for the added
> test that shows the issue with catch blocks.
>
> Bug: chromium:1392061
> Change-Id: Ied0b1d4b430c9af2e7ae3dfc004ecb45037c5735
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4051605
> Reviewed-by: Leszek Swirski <leszeks@chromium.org>
> Commit-Queue: Leszek Swirski <leszeks@chromium.org>
> Commit-Queue: Toon Verwaest <verwaest@chromium.org>
> Auto-Submit: Toon Verwaest <verwaest@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#84448}
Bug: chromium:1392061
Change-Id: Iddbd7b19bc73e352dbd6867db990238f80adbdda
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4055504
Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Commit-Queue: Victor Gomes <victorgomes@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84455}
Function#call needs a function to call, so don't try to lower it to a
builtin call when there's no function.
Bug: v8:7700
Change-Id: I6705e2900731b2be2830231f8ab0dbfcdca5f594
Fixed: chromium:1392936
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4055680
Auto-Submit: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Victor Gomes <victorgomes@chromium.org>
Commit-Queue: Victor Gomes <victorgomes@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84451}
This makes sure that catch-blocks don't accidentally drop values that
are only in registers, which can happen if we throw in deferred throwing
code (e.g., in ThrowReferenceErrorIfHole). At the latest we'll discover
such values when trying to merge after the catch block, noticing we
can't find the value through the catch-block. Unfortunately it's not
trivial to figure out where that merge happens, so we just
unconditionally spill the value.
For liveness holes (as the comment previously mentioned) the value
should already be dead and dropped on the merge. Running --maglev-stress
etc shows that no code currently hits this path, except for the added
test that shows the issue with catch blocks.
Bug: chromium:1392061
Change-Id: Ied0b1d4b430c9af2e7ae3dfc004ecb45037c5735
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4051605
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Toon Verwaest <verwaest@chromium.org>
Auto-Submit: Toon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84448}
When promoting an object into the shared heap atomically updating the
map word to a forwarding pointer might fail when another thread is
faster. In such cases we need to replace the unused copy of that
object with a filler. We could also "undo" the last allocation in the
future but since this should be rare and hard to test don't do this
for now.
Bug: v8:13267
Change-Id: Ic608942e0c4fe8bd53d25b688875098474a34021
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4051126
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Dominik Inführ <dinfuehr@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84445}
A shared GC needs to reset weak global handles that store pointers
to shared objects which die during the shared GC.
Bug: v8:13267
Change-Id: I3800bf1173f42dd9ab96be4add462547b2a8f4a0
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4051602
Commit-Queue: Dominik Inführ <dinfuehr@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84444}
When a ETW tracing sessions starts V8 emits events for all already
jitted functions. In very large apps this can cause a noticeable UI
jank. Most of this time is spent re-parsing all already jitted
functions to ensure that the source positions data for these functions
is available. But for ETW events we only need the initial location of
a function, not its full source position data, therefore we should be
able to omit the reparsing.
Bug: v8:11043
Change-Id: I9f1866464fdb8295ca2118de3ab1a72ce6e0f5b7
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4049920
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Reviewed-by: Thibaud Michaud <thibaudm@chromium.org>
Commit-Queue: Paolo Severini <paolosev@microsoft.com>
Cr-Commit-Position: refs/heads/main@{#84440}
In some situations we might want to start a global safepoint from a
shared isolate. However, Isolate::shared_heap_isolate() can't be used
on a shared isolate. This CL avoids this invocation for shared
isolates.
This CL also stops logging for the WasmEngine for shared isolates. A
shared isolate isn't added to the WasmEngine.
Bug: v8:13267, v8:13524
Change-Id: I58f6d81e61ce7dba619a4902afb50a6582161a66
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4048481
Commit-Queue: Dominik Inführ <dinfuehr@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84439}
Complete sweeping time was accounted based on the GC that will be
started, not the GC that will be finished.
Bug: v8:12612
Change-Id: I2b914abf01be8eecfe7b4ec011d8893407867aef
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4051204
Commit-Queue: Omer Katz <omerkatz@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84438}
This reverts commit 5e07bb70e5.
Reason for revert: --struct-harmony caused an initial flood of
bugs on the correctness fuzzer. Let's reland this once we've
sorted out those.
Original change's description:
> [heap] Enable shared heap flags on more fuzzers
>
> Enable --shared-string-table and --struct-harmony on more fuzzers.
>
> Bug: v8:13267
> Change-Id: Iedea33f5c06563aac4d0f0d0eb880f7ee6208d9f
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4043902
> Reviewed-by: Michael Achenbach <machenbach@chromium.org>
> Commit-Queue: Michael Achenbach <machenbach@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#84412}
Bug: v8:13267
Change-Id: Id7973fa312cdddff6c49b672d0496c33fc8828e4
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4051202
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Cr-Commit-Position: refs/heads/main@{#84436}
